Privacy Fines: GDPR Sanctions in 2021 Exceeded $1 BillionBut Sanctions Approach Varies Widely Across 31 Countries Complying With Privacy Law
Privacy regulators in Europe last year imposed known fines totaling more than 1 billion euros ($1.2 billion) under the EU's General Data Protection Regulation, bolstered in part by two record-breaking sanctions, according to the law firm DLA Piper.
The amount of fines levied in the 12 months since Jan. 28, 2021, marked a sharp increase from the 159 million euros ($181 million) in fines seen for the preceding 12 months, according to DLA Piper's latest GDPR and data breach report. Not all of those GDPR violations involved data breaches.
Another increase from 2020 to 2021 was seen in the quantity of breach notifications. Those grew by 8%, with regulators last year receiving notifications for more than 130,000 data breaches, it says.
Since GDPR came into full effect on May 25, 2018, organizations that handle Europeans' personal data must comply with tough breach notification rules, which can include a requirement to notify authorities they have suffered a breach within 72 hours of its discovery. Failure to comply exposes organizations to fines of up to 4% of their annual global revenue or 20 million euros ($22.8 million) - whichever is greater. Organizations' ability to process people's personal data can also be revoked (see: Privacy Rights: GDPR Enforcement Celebrates Third Birthday).
Top Notifications and Fines
In a repeat from 2020, in 2021, Germany and the Netherlands logged the most breach notifications, according to the report. Last year, they were followed by Poland, the U.K and Denmark.
Per capita, the number of 2021 breach notifications per 100,000 residents was greatest in the Netherlands (151), followed by Liechtenstein (136) and Denmark (131), according to the report. "Croatia, the Czech Republic and Greece reported the fewest number of breach notifications per capita since Jan. 28, 2021," it says.
The countries with the highest individual fines levied since Jan. 28. 2021, were Luxembourg and Ireland.
Luxembourg imposed a fine of 746 million euros ($850 million) against a U.S. online retailer and e-commerce platform, according to the report. More information about the fine "is not publicly available and is subject to an ongoing appeal," the report says. That means the final amount could end up being lowered or dismissed by a court, which would of course alter the amount of total fines imposed over the past 12 months.
Ireland imposed a fine of 225 million euros ($256 million) on WhatsApp in September 2021 over its alleged failure to disclose to users how their data was being shared with parent company Facebook, which is now known as Meta.
Those two fines currently stand as the largest ever imposed under GDPR. Third place goes to France, which in January 2019 imposed a fine of 50 million euros ($57 million) on Google for transparency failures, including in the way it informed users about how their personal data was being handled, as well as for failing to properly obtain their consent for personalized advertising. While Google contested the fine, it was upheld by France's top court in June 2020.
Challenges in Tracking How GDPR Gets Applied
There are several caveats with the DLA Piper report's findings. For starters, it counts known GDPR fines across the 27 EU member states, as well as the U.K., which comply with GDPR, as do European Economic Area members Norway, Iceland and Liechtenstein. But not all GDPR fines get made public by countries' data protection authorities, and not all fines get classified by DPAs as being levied under GDPR, versus another regulation such as the EU's e-Privacy Directive.
In addition, across the 31 countries surveyed, "several have only provided incomplete statistics or statistics for part of the period covered by this report so the figures have been rounded up and in some cases extrapolated to provide best approximations," including for the U.K. and Germany, the report says. "Similarly, not all GDPR fines are publicly reported and some data only covered part of the period covered by this report."
DLA Piper also chose to not count the number of fines issued by countries, given differing approaches. Some countries, for example - including Ireland, Luxembourg and the U.K. - appear to have prioritized fewer numbers of larger, headline-grabbing fines, it says. Other countries, such as Italy and Spain, instead tend to issue more low-value fines.
"There is an open question over which approach is most effective at driving better compliance," according to the report. "While large fines attract lots of media attention and can act as a powerful deterrent, they also consume significant resources to investigate, enforce and to defend any appeals, particularly when the defendant organizations are large and well-resourced multinationals."
Seeing large fines get reduced on appeal, furthermore, "can also undermine the credibility of the enforcement process and reduce the deterrent effect of fines," the report says.
Challenge: Complying With Schrems II
While it's notable that from 2020 to 2021 there was a large increase in the total value of known fines being levied under GDPR, the report notes that another major compliance hazard for organizations has been complying with the Schrems II judgement. This judgement arose from the case known as "Facebook Ireland and Schrems," brought by Austrian privacy activist Max Schrems, which was ultimately heard by the Court of Justice of the European Union.
In that case, judges ruled that the EU-U.S. Umbrella Agreement on Data Protection - aka the Privacy Shield - launched in 2016 had been collecting personal information in a manner "not limited to what is strictly necessary," thus violating Europeans' privacy rights.
"The judgement requires organizations exporting personal data from Europe and the U.K. to third countries to carry out comprehensive mapping of those transfers and detailed assessments of the legal and practical risks of interception by public authorities in the countries where importers are located, greatly increasing the compliance burden on data exporters and importers," DLA Piper says.
Getting it wrong can expose organizations to multiple risks, including fines and losing their ability to process personal data, as well as claims for compensation from Europeans whose personal data might have been incorrectly handled.
"The threat of suspension of data transfers is potentially much more damaging and costly than the threat of fines and compensation claims," says Ross McKean, chair of DLA Piper's U.K. Data Protection and Security Group. "The focus on transfers and the significant work required to achieve compliance inevitably means that organizations have less time, money and resources to focus on other privacy risks."